Introduction to the NHS Information Governance Requirements




Version April 2014

Introduction

Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. The widely reported high profile data losses by Government departments during 2007/08 increased the information governance priority within the NHS. The NHS Operating Framework 2009/10 introduced a requirement that by the end of 2009/10, all NHS providers must be able to provide annual information governance assurances to their commissioners regarding the management of personal information within the provider organisation. At present this is not a requirement of the General Ophthalmic Services (GOS) contract. Community services (formerly Enhanced Services) commissioned from April 2014 will be commissioned via the NHS Standard Contract, which does require information governance assurances.

These assurances are to be evidenced by the completion of the NHS Information Governance Toolkit (IGT), an online assessment tool, available at https://www.igt.hscic.gov.uk/

There are 16 information governance requirements for optical practices. The levels of achievement within each requirement range from 0 to 3; however, the terms of the NHS Standard Contract only require compliance to Level 2. Therefore this guidance will only go to Level 2. Completing this workbook will help you assess your current level of compliance and plan the steps needed to improve your optical practice's level of compliance.

Information Governance assessments will need to be completed and submitted annually by 31st March each year to demonstrate that standards are being improved or maintained and will, if necessary, need to be supported by a work plan which the NHS England Area Team will monitor.

Action by 31 March 2015

All optical practices that contract directly to provide community services are required to complete an online baseline assessment against the requirements in the Information Governance Toolkit by 31 March 2015. This will provide a baseline for improvements to be carried out where necessary. To do this, optical practices will need to appoint an information governance Lead(s) who will complete the baseline assessment on the online Information Governance Toolkit. This is simply an honest evaluation of the optical practice's current position in regards to each requirement. This workbook will support understanding the requirements and completing the assessment.

It is recognised that for many of the requirements, whilst optical practices already have processes in place that ensure the secure handling of information, these may not be fully documented. This means that optical practices won't have the evidence needed to meet Level 1 or 2 of the NHS requirements. It is therefore accepted that for many optical practices some requirements will need to be base-lined at Level 0.

By 31 March 2015 community optical practices will be expected to attain Level 2 against the Eye Care information governance requirements. This workbook aims to provide guidance and support for optical practices in meeting the NHS Information Governance requirements, completing the online Information Governance Toolkit and compiling appropriate evidence to demonstrate compliance with the requirements to an NHS Area Team.

In this workbook, for each requirement, there is a summary of the different levels of achievement, a list of the evidence required to demonstrate compliance, information about template resources and tools that are available to support meeting the requirements, and space to make notes.

The Requirements

Each NHS information governance requirement is numbered. Not all of the NHS requirements apply to optical practices, which is why the numbering of the optical practice requirements is not sequential. Within this document, a specific requirement is referred to by its three-digit number. For example, the Information Asset Register requirement is number 316.

The levels of achievement within each requirement range from Level 0 to Level 3, where Level 0 is non-compliance and Level 3 demonstrates an exemplary level of compliance. For a particular level to be achieved the optical practice must also be able to demonstrate compliance with the previous levels; for example, to achieve Level 2 the optical practice must be able to show compliance with both Level 1 and Level 2 of the requirement.

Evidence of Compliance

The evidence suggestions included in this workbook have been designed by the Optical Confederation to meet the requirements of the National Information Governance Toolkit for Eye Care. This evidence would allow an optical practice to demonstrate compliance with the requirements to their NHS Area Team; however, the evidence suggested in this workbook is not prescriptive. Alternative pieces of evidence could serve the same purpose. For example, to support the requirement that all staff undertake appropriate training in Information Governance, an optical practice may choose to develop their own in-house training programme rather than use the nationally produced resources; likewise, rather than developing standard operating procedures (SOPs), an optical practice may choose to document business process guidance or prepare policies. An optical practice may also choose to use a different structure, content and format to the nationally provided templates, and some of the process guidance and procedures may be encompassed in existing optical practice internal governance documents which have a wider scope than that outlined in the national templates.

There is space in the workbook to note the evidence the optical practice has, for example the location of SOPs and the name of the senior staff member that has approved the SOP. It may be helpful to create an Information Governance folder to store your evidence for each requirement and as a central resource on Information Governance for staff to refer to; alternatively, evidence could be stapled into the appropriate page in the workbook.

Care should be taken to ensure information which is either commercially sensitive or contains personal information is not shared with NHS Area Teams, for example the information asset register (316) or individual staff employment contracts (116). Appendix 3 contains general information on data protection which may be a useful reference for these requirements.

Multiples

Where an optical practice is part of a multiple chain, one possible approach is that the chain's Head Office will have assumed a leadership role in the delivery of Information Governance, with many of the actions required to achieve compliance with the requirements undertaken by specialist staff based at the organisation's Head Office. In many cases local tailoring will also be required in order for each optical practice to provide the necessary assurances to their NHS Area Team. Where supporting evidence is not accessible locally, one approach could be for the Head Office to provide each of its sites with a supporting statement/declaration as evidence of compliance. Examples of where this scenario is likely to occur include if the optical practice information asset register is held centrally (316), where review of any data flows outside of the UK is undertaken centrally (209), and confirmation that personnel departments have ensured that staff and third party contractors have appropriate confidentiality clauses in contracts (116).

LOC Companies

If community services are provided on behalf of an LOC company then only the LOC company will complete the toolkit. The company will then require a signed declaration from each sub contracted optical practice that they comply with IGT Level 2. This can be done by downloading the detailed requirement summary sheet and indicating the achieved level. An authorised signatory must then sign the document.

Resources and Reference Material

Templates and tools to support the completion of each requirement can be downloaded for local adaptation from the optical practice Information Governance Online Resource Centre (www.qualityinoptometry/ig). Appendices 4-6 of this workbook contain background material which may be helpful for the Information Governance Lead's reference when working through the requirements. This background material does not form part of the requirements.

Completing the Information Governance Toolkit / NHS Area Team Support

Appendix 2 of this workbook includes a step-by-step guide to registering for access to the Information Governance Toolkit and submitting an assessment.

Quick Reference Guide to Navigating Actions Required

The chart below is a quick reference guide to the key actions required to meet the optical practice information governance requirements. Full details on the requirements can be found in the relevant section of this booklet. Templates can be downloaded from the Quality in Optometry (QiO) website (www.qualityinoptometry/IG). There is also a detailed IGT summary sheet, available as a separate download, which contains a list of the requirements and the evidence required for each level.

o Appoint IG Lead(s). (114)
o Take time to understand the requirements (e.g. read this workbook).
o Gather evidence that responsibility for certain tasks has been assigned to someone where required.
o Develop an IG policy. (115)
o Ensure there are appropriate contractual clauses in staff and third party contracts. (116)
o Ensure staff are sufficiently trained in IG (Booklet: Introduction to Information Governance for Optical Practice Staff). (117)
o Identify any overseas data transfers and put in place mitigating controls. (209)
o Create a patient information leaflet on how data is handled by the optical practice. (213)
o Develop a staff confidentiality code of conduct. (214)
o Create an information asset register. (316)
o Risk assess physical security. (317)
o Resources to support mobile computing. (318)
o Develop an IG incident management procedure. (320)
o Put in place an IG incident log. (320)
o Develop an access control procedure. (321)
o Map, risk assess and put in place mitigating controls for data transfers. (322)
o Develop one or more procedures that cover data transfer, safe havens and seeking patient consent. (208 & 308)
o Ensure policies, procedures and guidance materials are signed off by an appropriately senior staff member. (various)
o Ensure staff have been informed of policies and procedures, where relevant. (various)
o Put in place a system to monitor staff compliance with key requirements. (various)
o Register for access to the online IG Toolkit. (Appendix 1)
o Complete a baseline assessment on the IG Toolkit. (Appendix 1)
o Create a work plan. (N.B.: This is automatically generated as an output of making a submission to the online IGT.)
o Start working through the optical practice work plan.
o Complete the online IG Toolkit by March 2015 and generate the work plan.

Requirement 114

Has responsibility for Information Governance been assigned to an appropriate member, or members, of staff?

This requires that named individuals take responsibility for coordinating, publicising and monitoring standards of information handling within the optical practice and develop and implement an information governance work plan (also known as an implementation plan). The information governance Lead(s) also need(s) to ensure that Information Governance Toolkit assessments are submitted as required.

Level 0: The optical practice has not assigned Information Governance responsibilities.

Level 1: The optical practice has assigned responsibilities for Information Governance to a staff member or members who have been provided with appropriate training and support to carry out the role. The optical practice has put in place an information governance work plan (also known as an improvement plan) which documents both the current level of compliance with the NHS information governance requirements for the premises and the targets that have been identified to progress to the next level of compliance.

Level 2: The optical practice has implemented its information governance work plan to ensure a minimum of Level 2 compliance with each of the optical practice requirements.

Hints and Tips

Appointing an information governance Lead

The optical practice should consider the responsibilities of an information governance Lead and decide whether these can be met by one member of staff or whether the responsibilities should be shared between a number of staff. For contractors with multiple practices, there may be a need to appoint staff at both Head Office and practice level. Those appointed do not need to be the optical practice contractor but should have sufficient seniority and authority to ensure that any necessary changes in information handling within the optical practice can be implemented and enforced.

Ensuring confidentiality is already a key part of the clinical governance requirements in the optical practice contractual framework. As a contractual framework requirement, all optical practice premises must have an identifiable clinical governance lead. It is possible for the clinical governance lead to also act as the information governance Lead. There should be written assignment of information governance Lead responsibility. This could be through adding this to staff job descriptions or simply a written note of responsibility (for example, state who is responsible in the notes box).

What training and support does the information governance Lead require?

Information governance Lead(s) need to be sufficiently trained to undertake their key responsibilities. Training should cover data protection, security and confidentiality, and Freedom of Information requirements. Where the information governance Lead is also the person responsible for data protection, confidentiality and Freedom of Information for the business, the training provided will need to be more extensive to ensure that the optical practice complies with the law and guidance in these areas. Thoroughly reading this workbook is sufficient to meet the requirement for information governance Lead training. The information governance Lead should also have access to sufficient support within the optical practice; for example, if the information governance Lead is a non-optometrist, they should have access to an optometrist for support with queries.

Creating a Work plan

Use this workbook to determine the optical practice's current level of compliance. All optical practices need to achieve Level 2 compliance by 31st March 2015. Appendix 1 contains a table which you might find useful to collate information on the optical practice's current status. A separate, more detailed table is available from the downloads section. On completion of the Information Governance Toolkit, there is an option to print a work plan based on the information that has been input by the optical practice. Note that the Information Governance Toolkit refers to this as an improvement plan.

Level | Evidence Required | Resources Available | Yes/No
1 | Written assignment of responsibility to staff member or members (e.g. note below) | - |
1 | Written declaration on completion of information governance Lead training | Reading this workbook is sufficient. General training resources can be found on the Online Information Governance Training Tool. |
1 | Copy of information governance work plan (improvement plan) | Template work plan (see Appendix 1). The Information Governance Toolkit creates a plan based on the information input by the optical practice. |
2 | Evidence of progress against the work plan/improvement plan | - |
2 | Company Only: Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors. |

Notes

Requirement 115

Does the optical practice have an information governance policy that addresses the overall requirements of information governance?

Each optical practice is required to have an information governance policy, which is a high level statement of the optical practice's intended approach to effectively managing information governance. The policy should outline the principles that underpin the policy, detail the optical practice's information governance procedures and set out what is expected of optical practice staff. The policy should reflect NHS information governance guidance and should be approved by a senior representative of the optical practice.

Level 0: The optical practice does not have an Information Governance policy in place.

Level 1: The optical practice has reviewed, updated and drawn together all relevant policies to form a comprehensive Information Governance policy.

Level 2: The optical practice has an Information Governance policy that has been agreed by an appropriate senior staff member and conforms to national guidelines.

Hints and Tips

Suggested key content of an information governance policy includes:

o A section specifying why the policy is required, e.g. to safeguard the movement of personal data;
o A summary of the procedures which underpin the policy to help ensure information will be handled securely and confidentially by the optical practice (i.e. links to related SOPs);
o A description of accountability and responsibility for the policy;
o A process for monitoring the policy;
o Optical practice staff duties and responsibilities for information governance (maintaining confidentiality of data, ensuring secure storage of data, and being aware of situations where disclosure may be required); and
o Actions to be taken if the policy is breached, e.g. sanctions against staff, remedial work on the part of those responsible for information governance procedures.

A template policy can be downloaded from the online Information Governance Resource Centre or Quality in Optometry. Each optical practice will need to decide whether the template is sufficient for its needs and locally tailor the template as necessary.

Level | Evidence Required | Resources Available | Yes/No
1 | An Information Governance Policy | Template 1: Information Governance Policy |
2 | Name of contractor representative that approved the Information Governance Policy (e.g. note below) | - |
2 | Company Only: Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors. |

Notes

Requirement 116

Do all contracts (staff, contractor and third party) contain clauses that clearly identify responsibilities for confidentiality, data protection and security?

Optical practices are required to ensure that all of their contracts with staff, locums and third parties who might have access to sensitive data (e.g. cleaners) contain clauses which clearly set out their responsibilities for ensuring and maintaining confidentiality, information security and data protection.

Level 0: No staff contracts have clearly identified clauses addressing confidentiality, data protection and security.

Level 1: The optical practice has undertaken an audit of personnel records, and contractor and other third party contracts, and determined how many of these have written contracts which contain clauses that identify responsibilities for confidentiality, data protection and information security, linked to disciplinary procedures. The optical practice has developed an action plan to update existing contracts, where necessary, and to ensure all new contracts include compliance with information governance requirements as part of employment processes.

Level 2: All optical practice contracts for staff, contractors and third party users who have access to confidential information include compliance with information governance requirements as part of employment or contracting processes.

Hints and Tips

Ideally, the contract clause should reference the optical practice's staff confidentiality code of conduct (see information governance requirement 214) as a source of further information about how the optical practice expects its staff to behave in respect of maintaining the confidentiality and security of patient health information.

A suggested contract clause for individual staff members can be found online at: www.qualityinoptometry/ig

For staff members that don't have a contract of employment, for example locum optometrists or university students on temporary placement, optical practices should put in place an agreement which obligates the individuals to safeguard personal information and makes reference to the optical practice confidentiality code of conduct. The individual could be asked to sign a stand alone confidentiality contract or, where it exists, be asked to sign a written locum contract. ABDO, AOP and FODO members can seek advice on employment contracts from their relevant body.

Care needs to be taken to ensure there are also appropriate confidentiality and non-disclosure clauses in contracts with suppliers where they may have access to personal or sensitive information, for example Practice Management system suppliers.

Level | Evidence Required | Resources Available | Yes/No
1 | Example contract clauses | Example contract clause available online at www.qualityinoptometry/ig |
2 | Written confirmation that all staff have appropriate clauses in their contract. (A note here is sufficient) | - |
2 | Written confirmation that all temporary staff have appropriate stand alone confidentiality contracts. (A note here is sufficient) | - |
2 | List of third party contractors with access to personal information and written confirmation that appropriate confidentiality clauses are included in contracts. (A note here is sufficient) | - |
2 | Company Only: Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors. |

Notes

Requirement 117

Are optical practice staff aware of their information governance responsibilities and are they provided with appropriate training?

Optical practices should put in place measures to ensure that all staff members are fully informed about information governance procedures, and staff should be given clear guidelines about their own responsibilities for ensuring and maintaining confidentiality, data protection and security.

Level 0: The optical practice does not have documented evidence that staff are aware of information governance procedures.

Level 1: The optical practice has identified key staff members requiring information governance training and ensured that appropriate training has been made available and that the availability and importance of training has been publicised to these members of staff.

Level 2: The optical practice has in place a clear and communicated process for making all staff who have access to confidential information aware of available training, and has ensured that all staff members who have access to confidential information have been given the opportunity and actively encouraged to undertake information governance training. Ideally, all new staff members who have access to confidential information should be provided with training within a short time of taking on their post.

Hints and Tips

Training package: The Optical Confederation has adapted the training booklet used by pharmacy for Information Governance. This has been given the title "Introduction to Information Governance for Optical Practice Staff". The training booklet can be downloaded from the QiO website (www.qualityinoptometry.co.uk). This booklet has been designed so that it can be printed or used as a PDF document.

Online training: It is anticipated that an online training tool will be developed once funding for Information Governance has been agreed with the DoH.

Other equivalent training resources may also be used to meet this requirement, for example in-house training packages produced by multiple optical practices or, where available, NHS England Area Team provided training.

Level | Evidence Required | Resources Available | Yes/No
1 | List of training resources used (e.g. note below) | Online and paper based training packages. |
2 | Signature list confirming key staff have received training. | Staff signature list. |
2 | Signature list confirming all relevant staff have received training. | Staff signature list. |
2 | Company Only: Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors. |

Notes

Requirement 209

Does the optical practice ensure that all personal data processed outside of the UK complies with the Data Protection Act 1998 and DH guidelines?

DH guidelines are more restrictive than the Data Protection Act and require that personal information is NOT transferred outside of the UK unless an appropriate assessment of risk has been undertaken and mitigating controls put in place. Optical practices are required to ensure that all personal data processed outside the UK complies with the Data Protection Act 1998 and DH guidelines.

Level 0: The optical practice does not know whether or not personal data is transferred from the optical practice to countries outside of the UK.

Level 1: The optical practice has carried out an assessment and documented instances where personal data is transferred to non-UK countries and whether any such transfer complies with the Data Protection Act 1998 and DH guidelines. Where necessary, the optical practice has taken measures to enable full compliance with the legal requirements and DH guidelines.

Level 2: The optical practice has assessed all transfers of personal data from the optical practice to countries outside of the UK and ensures any transfers fully comply with the Data Protection Act 1998 and DH guidelines.

Hints and Tips

Steps for an optical practice to ensure compliance

Step 1: Review the flows of personal information to external organisations to understand whether any such information flows outside of the UK, for example:

o If personal information is collected through an optical practice website, where is the website hosted?
o If an IT system is used to record information, for example the practice management system or systems to support the delivery of community services, where is this information hosted and does the supplier ensure the information remains within the UK?

Where the optical practice has determined that it makes no transfers of personal information to countries outside of the UK, this should be documented for audit purposes (e.g. make a note in the notes box). This would mean that the optical practice is fully compliant with this requirement.

Step 2: If the review has identified flows of personal information to countries outside of the UK, undertake an appropriate risk assessment and put in place mitigating controls. In assessing risk, a key consideration is whether the off-shore provider's security arrangements have been independently verified. For example, if the relationship is between the contractor and an international provider, has the provider achieved the recognised ISO 27001 Information Security Management standard (which includes a requirement to have independent verification)? If the relationship is with a UK provider who sub-contracts to an overseas provider, have they achieved the CFH IGSoC standards or ISO 27001? Controls could include seeking assurances from system suppliers (and, where applicable, their subcontractors) through contractual arrangements about the processes and safeguards in place for offshore data transfer. Decisions concerning the transfer of personal information to countries outside of the UK must only be taken by the contract holder, or by a senior member of staff who has been authorised to take that decision by the contractor.

Step 3: Consider the other data protection principles before making an overseas transfer of personal data, in particular the first principle, which in most cases will require that individuals are informed about the transfer of their information to a country outside the UK.

Future proofing the arrangements: A supplier may change their arrangements over time. When contracts with suppliers are being reviewed, it is worth considering whether to include clauses that would ensure a contracted system supplier proactively informs the optical practice if their offshore data transfer arrangements change.

More information on the relevant guidance in the Data Protection Act and DH guidance can be found in Appendix 3.

Level | Evidence Required | Resources Available | Yes/No
1 | Evidence the optical practice has checked whether there are flows of information outside of the UK and documented these flows (e.g. note below) | - |
2 | If there are flows of information outside of the UK, evidence of assessment of compliance with the Data Protection Act and DH guidance (e.g. note below) | - |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 212

Does the optical practice ensure that patients are generally asked before their personal information is used for purposes that are not directly related to the service for which it was collected, and that patients' decisions to restrict the disclosure of their personal information are appropriately respected?

Optical practices are required to have procedures for seeking consent. These should include seeking consent to use patient information for purposes other than the service for which it was collected, and respecting patient decisions.

Level 0: The optical practice does not have documented evidence that it ensures patients are asked before their personal information is used for purposes that are not directly related to the service for which it was collected, and that patients' decisions to restrict the disclosure of their personal information are appropriately respected.

Level 1: The optical practice has guidelines on seeking consent to use personal information, including for purposes that are not directly related to the service for which the information was collected, and on respecting patient decisions. These guidelines have been approved by a senior contractor representative. The guidelines could be added to the staff confidentiality code of conduct (Requirement 214).

Level 2: The optical practice has ensured that all relevant staff members have been effectively informed about the guidelines and the need to comply with them.

Hints and Tips

Areas that the guidelines and procedures could cover:
- When and how consent should be obtained;
- How patients are made aware of who may have access to personal information held about them, and the extent to which the information may need to be shared;
- The basic premise that patients have the right to choose (i.e. consent given or not) whether or not to agree to the use or disclosure of their personal information. Note that in some cases this may affect whether the service can be provided;
- The right of patients to change their decision about a disclosure before it is made;
- Who should obtain consent for the use of the information for a further purpose (NB while the task can be delegated, the optical practice owner remains legally responsible);
- Where and how consent or dissent should be recorded;
- Answering patient questions about consent, including how to provide information about the consequences of non-disclosure to patients in a non-threatening, non-confrontational manner;
- How often consent should be reviewed; and
- Exemptions to the requirement for consent: public interest; legally required; and section 251 of the NHS Act 2006 (formerly section 60 of the Health & Social Care Act 2001).

More detailed information on confidentiality, consent and the law can be found in Appendices 4 and 5.

Level | Evidence Required | Resources Available | Yes/No
1 | Evidence of guidelines on seeking patient consent to use their information (this could form part of the confidentiality code of conduct) | Staff confidentiality code of conduct |
1 | Name of contractor representative that approved the guidelines on seeking patient consent to use their information (note below) | - |
2 | Evidence that staff have been made aware of the guidelines, e.g. staff signature list | Staff signature list |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 213

Does the optical practice have a publicly available and easy to understand patient information leaflet that informs patients how their information is used, who may have access to that information, and their own rights to see and obtain copies of their records?

To support patient awareness, each optical practice should have an information leaflet for patients about the way that their information is used and shared. This leaflet should be placed in a part of the optical practice where patients are likely to see and read it (for example, on the front counter or in the consulting area).

Level 0: The optical practice does not make any information about the use of personal information available to patients.

Level 1: Basic information about the use of personal data is made available to patients.

Level 2: In addition to basic information, the optical practice makes more comprehensive information available via a leaflet.

Hints and Tips

Level 1: The optical practice contractual framework requires optical practices to have a practice leaflet which includes a notice that the optical practice complies with the Data Protection Act and the NHS Code of Practice on Confidentiality. This is sufficient to meet the Level 1 requirement.

Level 2: To meet the Level 2 requirement, optical practices must make more comprehensive information available. The information leaflet should cover:
- How patient information is used and stored;
- Who is able to access patient information;
- How patients can gain access to their information; and
- Who they can talk to for more information (e.g. the optometrist).

Rather than having a separate information governance leaflet, some optical practices may want to adapt and expand the content in existing practice leaflets. A professionally printed leaflet may be available from organisations such as the Optical Confederation. Some NHS England Area Teams may have printed generic leaflets for use by health professionals in their area.

Level | Evidence Required | Resources Available | Yes/No
1 | Basic information for patients on confidentiality, through a leaflet or poster. | Existing practice leaflets should meet this requirement |
2 | Comprehensive patient information, e.g. leaflet | Confidentiality leaflet |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 214

Does the optical practice have a confidentiality code of conduct that provides staff with clear guidance on the disclosure of personal information?

To ensure staff members are effectively informed of their obligations to keep information confidential, optical practices should develop a staff code of conduct that provides clear guidance on the disclosure of personal information. The code should be signed off by a senior staff member authorised by the contractor and should be made available to staff.

Level 0: The optical practice does not have a confidentiality code of conduct for staff.

Level 1: The optical practice has a confidentiality code of conduct for staff that provides clear guidance on the disclosure of personal information and which has been signed off by an appropriate senior manager.

Level 2: The optical practice's approved confidentiality code of conduct has been made available to all staff members, who have been effectively informed about the code, the guidance on disclosure and the need to comply with it.

Hints and Tips

Where an optical practice already has a general code of conduct, it may be possible to extend this rather than having a separate confidentiality code. Key components of a confidentiality code of conduct are:
- The legal framework governing confidentiality;
- Staff members' individual responsibility for compliance with the law;
- Definition of information that is considered confidential;
- How to ensure information remains confidential;
- Guidelines on passwords, smartcards and security;
- The systems and processes for protecting personal information (safe havens, devices and systems for secure storage etc.);
- Use of email and web-based services;
- The circumstances under which confidential information can be disclosed;
- Dealing with subject access issues;
- Abuse of privilege in respect of viewing personal information;
- Offsite/home working arrangements (where relevant);
- Who to approach for assistance with disclosure issues (e.g. the information governance Lead); and
- Possible sanctions for breach of confidentiality.

Requirement 212 requires documented guidelines on seeking patient consent for purposes other than the service for which the information was collected, including the sharing of information. These guidelines could also be included in the confidentiality code of conduct.

Level | Evidence Required | Resources Available | Yes/No
1 | Staff confidentiality code of conduct | Confidentiality Code of Conduct |
1 | Name of contractor representative that approved the confidentiality code of conduct (e.g. make note below) | - |
2 | Evidence that staff have been made aware of the confidentiality code of conduct, e.g. staff signature list | Staff signature list |
2 | Evidence that the confidentiality code of conduct is available in the optical practice (e.g. note below where it is stored) | - |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 304

Does the optical practice ensure that staff and all those working for or on behalf of the optical practice comply with the terms and conditions set out in the RA01 form?

N.B. This will only be applicable to a handful of practices; if extra help with this requirement is needed, please contact the Optical Confederation. If you have no smart cards, please tick the NA box on the appropriate template document.

Not Applicable (NA): If staff do not have cards subject to the RA01 terms and conditions, this requirement is not applicable. If declaring that this requirement is not applicable, make a note in the comments box on the online Information Governance Toolkit that staff do not yet have cards subject to the RA01 terms and conditions.

Level 0: The optical practice does not have documented evidence that the terms and conditions set out on the RA01 form are monitored and enforced.

Level 1: The optical practice does not yet monitor to ensure that staff comply fully with the terms and conditions set out within the RA01 form, but has developed a process for doing so. The process must be agreed by an appropriate senior staff member.

Level 2: The optical practice has implemented its process for monitoring and enforcing compliance with the terms and conditions set out in the RA01 form.

Hints and Tips

Audit checks on whether the procedures are being followed could be carried out by the information governance Lead or a senior staff member, for example the optometrist.

Level | Evidence Required | Resources Available | Yes/No
NA | If no staff have cards subject to the RA01 terms and conditions, this requirement is not applicable. | |
1 | Description of process to undertake compliance checks (make a note below) | - |
2 | Evidence of internal audits to assess compliance with the RA01 terms (e.g. every 6 months) | Audit sheet |
2 | Evidence that the audit process is reviewed annually (e.g. date process last reviewed) | - |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 316

Does the optical practice have an information asset register, encompassing information, software and hardware?

Unless optical practices know what information assets they possess, it will be very difficult to ensure that each item is adequately protected through appropriate confidentiality and security measures. Optical practices are required to maintain a record of information assets in the form of a register.

Level 0: The optical practice does not have an asset register encompassing information, software and hardware.

Level 1: The optical practice has assigned responsibility to a staff member to compile information about the optical practice's assets and to maintain an asset register.

Level 2: The optical practice has an information asset register.

Hints and Tips

Content of an Information Asset Register: This should contain a list of every device that holds, or can access, the patient record systems.

Information asset owners: It is important that each asset is linked to a post rather than a person, as responsibilities linked to people tend not to get passed on when that person changes job.

Level | Evidence Required | Resources Available | Yes/No
1 | Evidence of assignment of responsibility for maintaining the asset register (e.g. note below) | - |
2 | Location of information asset register (e.g. note below) | - |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 317

Does the optical practice prevent unauthorised access to the optical practice premises, equipment, records and other assets?

Optical practices are required to undertake a risk assessment to identify areas at risk of unauthorised access to hardware, software and information. Where necessary, the optical practice should take steps to implement the necessary improvements. Staff should be aware of the measures to take in the event of unauthorised access.

Level 0: The optical practice does not have documented evidence that it has taken measures to prevent unauthorised access to optical practice premises, equipment, records and other assets.

Level 1: The optical practice has undertaken a risk assessment and has identified areas of concern, but has not yet carried out the improvements necessary to prevent unauthorised access to the premises, equipment, records and other assets. The optical practice has put in place measures to ensure that all staff are aware of what steps to take in the event of unauthorised access.

Level 2: The optical practice has begun to implement any improvements necessary to prevent unauthorised access to the premises, equipment, records and other assets, e.g. by developing an action plan, allocating the necessary resources, etc.

Hints and Tips

Optical practices have well established procedures for premises security as a matter of course, and large optical practice organisations often have sophisticated commercial asset and risk management procedures in place. If no security improvements are required following the risk assessment, simply note this. A template risk assessment is available. If optical practices develop their own, areas to consider are:
- Consultation area (ensuring paperwork such as prescriptions, record cards and referral letters containing personal information is not left unattended);
- Window security;
- Back doors and fire escapes;
- Burglar alarms;
- Keys and staff access; and
- Clear screen policy (e.g. use of screensavers).

If necessary, specialist guidance on security may be available from loss adjustment/commercial risk advisers.

Level | Evidence Required | Resources Available | Yes/No
1 | Documented risk assessment | Risk assessment template |
1 | Evidence of staff guidance on steps to take in the event of unauthorised access (e.g. note guidance below) | - |
2 | Evidence of work to implement high priority security improvements identified by the risk assessment (e.g. detail below, or note if none were required) | - |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 318

Does the optical practice control, monitor and audit the use of mobile computing systems to ensure their correct operation and to prevent unauthorised access?

Optical practices are required to record staff use of mobile devices, provide staff with good practice guidance on the secure use of devices and ensure that the guidelines are being followed in practice.

Not Applicable (N/A): This requirement only applies to optical practices using mobile computing systems (e.g. laptops and tablets). If declaring that this requirement is not applicable, make a note in the comments box on the online Information Governance Toolkit that the optical practice does not use any mobile computing systems.

Level 0: The optical practice does not have documented evidence that it controls, monitors and audits the use of mobile computing systems to ensure their correct operation and to prevent unauthorised access.

Level 1: The optical practice keeps a record of staff use of mobile computing equipment, and staff have been issued with basic guidelines on the confidentiality and security risks of using mobile computing equipment.

Level 2: The optical practice has implemented procedures on security and confidentiality, including more comprehensive guidance for staff, so that the use of mobile computing systems for optical practice work is controlled. Patient confidentiality is better protected by encrypting all mobile computing systems to NHS standards, although staff must still be given advice to ensure equipment is not stolen or lost.

Hints and Tips

The actions taken to protect mobile computing systems should be proportionate to the risks in the environment.

Guidance to staff: Areas that could be covered in guidance to staff are:
- Locking the machine up overnight, or removing the hard drive or memory card (where possible) if the machine cannot be locked away;
- Not leaving the device unattended, e.g. on the seat of a car;
- Use of secure passwords to prevent unauthorised access to information stored on the computer;
- Ensuring password security; and
- Reporting the loss or theft of equipment promptly.

Encryption: Personal data stored on a PC hard drive or other removable device in a non-secure area, or on a mobile computing device such as a laptop, tablet or mobile phone, should be encrypted. It is recognised, however, that this may take some time to achieve and should be regarded as a long term aspiration. Practices should aim to achieve encryption of mobile devices before moving to encryption of desktop computers.

N.B. Some practice equipment that stores patient data (such as visual field screening equipment) cannot be encrypted, as there is currently no way to achieve this. The risk to patient safety of not using the equipment is much greater than the risk of data loss. As an interim measure, if following a risk assessment it is felt that continued reliance upon unencrypted data is necessary for the benefit of patients, the outcome of the risk assessment must be reported to the most senior person in the optical practice, so that he/she is appropriately accountable for the decision to accept the data vulnerability or to curtail working practices in the interests of data security. Guidance on the NHS recommended encryption algorithms can be found in Appendix 6. Optical practices that have obtained hardware from their optical practice system supplier should seek expert advice on encryption from the supplier.

Backing-up and Maintaining Anti-virus Protection: Mobile devices such as laptops are best configured so that data processed on them is synchronised to the network at the end of a session. If data is only saved to a local drive and the device is lost or damaged, so is the data. Only the minimum amount of data required should be carried on mobile devices, to reduce the potential impact of an unforeseen event. Care must also be taken to ensure that all mobile devices have their anti-virus / anti-spyware components regularly updated.

Other Safeguards: Consideration should also be given to strong access controls, user identification and authentication, secured wireless networks where used, and encrypted transfer of information over the internet. Staff may also be able to remotely access the optical practice system, e.g. by dialling in from home, a patient's home or another optical practice location. If using a remote access solution, optical practice contractors should satisfy themselves that the applications comply with the NHS Code of Practice on Confidentiality, and seek expert advice where necessary.

Level | Evidence Required | Resources Available | Yes/No
NA | If the optical practice does not use any mobile computing device, this requirement is not applicable. | |
1 | Record of staff use of mobile computing devices | Record sheets |
1 | Evidence of guidance provided to staff who use mobile computing devices | Mobile computing guidelines |
2 | Evidence that staff are aware of the guidelines around the use of mobile computing devices | Staff signature list |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 319

Does the optical practice have documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions?

This requirement relates to ensuring confidentiality and continuity of access to critical patient information, for example the optical practice management system, in the event of disruptions such as power and system failures. As the optical sector is very different to dentistry and pharmacy, the requirements centre on helping the practice get back to normal as soon as possible. The major concern should be the safe retrieval and storage of practice computer systems and patient record cards. As patients do not have to register with an optical practice, it is anticipated that if patients require eye care and their usual practice is unavailable they will simply seek a local alternative. Community service providers should notify their commissioner (e.g. LOC company or CCG) so that patients can be directed to the nearest available alternative provider.

Level 0: The optical practice has no form of business continuity planning.

Level 1: The optical practice has put in place a business continuity plan for critical information systems, based on an assessment of risk.

Level 2: The optical practice has tested its plan through table-top exercises and walk-throughs.

Hints and Tips

The aim is that the practice holds documented plans and procedures that support business continuity in the event of power failures, system failures, natural disasters and other disruptions.

Level | Evidence Required | Resources Available | Yes/No
1 | Business impact risk assessment | Risk assessment sheet |
1 | Business continuity plan documented | Business continuity sheet |
2 | Evidence of a run-through of the business continuity plan (a note below will be sufficient) | - |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 320

Does the optical practice have documented incident management and reporting procedures?

Optical practices are required to allocate responsibility for information security to a staff member who can lead on incident management and reporting. The optical practice also needs to have processes in place for managing and documenting information security incidents, and staff should be aware of the actions they need to take in the event of an incident.

Level 0: The optical practice does not have documented incident management and reporting procedures.

Level 1: The optical practice has allocated responsibility for information security to a member of staff who will take the lead on incident management and reporting.

Level 2: The optical practice organisation has documented incident management and reporting procedures. All optical practice staff are effectively informed about the incident management and reporting procedures, so that they are aware of the action to take in the event of an incident.

Hints and Tips

Incident Management Procedures: These procedures should detail:
- The need for and scope of the procedure;
- Procedures to be followed when incidents occur (managing, recording and reporting the incident);
- Responsibilities of staff; and
- Any linked procedures referenced (e.g. the optical practice data handling SOP).

Information Security Incident Log: All information security incidents should be documented, for example in an incident reporting log. The information recorded should include:
- Date of incident (if identifiable);
- Location of incident (if identifiable);
- Details of staff involved (if identifiable and applicable);
- Description of incident;
- Degree of risk associated with the incident (correlates with the risk assessment for data transfer);
- Any contributing factors;
- Remedial action taken following this incident;
- Suggested action to be taken to prevent a recurrence of this incident; and
- Whether the insurer has been informed.

Incidents should be classified in the log according to severity of risk. Risk assessment methods commonly categorise incidents according to the likely consequences (for example, on a scale from insignificant to critical). Risk assessment guidance can be found in Appendix 7.

Analysing and learning from incidents: Optical practices should analyse the following:
- Establishing that an incident has, in fact, occurred;
- Establishing that the responsibility for the incident lies with the optical practice;
- Evaluating the extent of the damage or risk to the optical practice as a result of the incident;
- Taking timely and appropriate remedial action; and
- Reviewing procedures to reduce the risk of the incident occurring again.

Reporting information security incidents: The procedures for reporting information security incidents should be documented in the optical practice's incident management SOP. The information governance Lead and Information Security Lead (if different) should normally be routinely informed of incidents that occur. It may be appropriate to report the incident to others, including the optical practice insurer and senior management. Although it is not mandatory to inform the NHS England Area Team of information security incidents, the optical practice information governance Lead or information security lead may wish to consider whether it is appropriate to inform the NHS England Area Team of serious incidents, for example if an incident is likely to lead to a patient complaint. Consideration should also be given to making a report to the police, for example in the event of data theft. It is also considered best practice to inform the Information Commissioner if the data loss is serious.

Level | Evidence Required | Resources Available | Yes/No
1 | Written assignment of responsibility for information security to a staff member or members | - |
2 | Documented incident management procedures | Information security incident management SOP |
2 | Documented incident management reports | Information security incident log |
2 | Evidence staff have been informed of the information security incident management procedures | Staff signature sheet |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Requirement 321

Does the optical practice ensure that there are appropriate procedures in place to manage access to computer-based information systems?

The optical practice should put in place procedures to manage staff access to computer-based information systems (e.g. the PMS) that store personal information. This includes the allocation and removal of user accounts, and guidelines for optical practice staff to ensure they use information systems appropriately. The procedures should be regularly reviewed and audits undertaken to ensure compliance.

Level 0: The optical practice does not have documented evidence that there are appropriate procedures in place to manage access to computer-based information systems.

Level 1: The optical practice has documented procedures for allocating and managing access controls for users of optical practice information systems.

Level 2: The optical practice has implemented its procedures and ensures that access to the optical practice system is restricted to authorised users only.

Hints and Tips

Extent of Access Controls: Ideally, all optical practice users should be assigned an individual user ID. However, there is a balance between security and usability of systems, and it is recognised that individual staff logins may not be a practical option at this time, for example to control access to the PMS by optical practice staff. Where a shared login is used, the system's audit trail cannot attribute actions to an individual, so the decision and any compensating controls should be recorded. Decisions on the extent of access controls applied should be taken by the optical practice contractor based on the risks of unauthorised access, the nature of the data and the impact on optical practice workload of any controls. The access control functionality in PMS systems is likely to develop over time.

Developing Access Management Procedures: Key points that the procedure should cover are:
- Scope of the procedures.
- A summary of the technical access controls in place. Contact your system supplier as necessary for more information.
- Procedure for granting access, and at which level. For example, who is responsible within the optical practice for making decisions on access rights? What arrangement is in place for locums who need temporary access?
- Procedure for managing changes in access rights. For example, if a user leaves the organisation, their profile would need to be suspended or removed.
- Procedures for staff in relation to logging in to the system. Optical practice systems may provide password protection features such as: users must change their password after the first logon; users must specify complex passwords; users must change their passwords periodically; prevention of password reuse; and users may change their password at their own request.
- Requirements for periodic review of the procedures. The procedures will need to take account of changes made to the technical access controls in systems by optical practice system suppliers.

Level | Evidence Required | Resources Available | Yes/No
1 | Name of contractor representative that approved the access management procedures (e.g. make note below) | - |
2 | Evidence that staff have been made aware of the access management procedures, e.g. staff signature list | Staff signature list |
2 | Evidence that the access management procedures are available in the optical practice (e.g. note below where they are stored) | - |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:
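The account lifecycle and password features listed under Requirement 321, worked through as an added example (this is not code from the IG Toolkit or from any PMS product): an in-memory account store with individual user IDs, a named approver for each grant, time-limited locum access, suspension of leavers, forced change at first logon, complexity and reuse checks, and an audit trail that a compliance check can read. The role names, the 12-character minimum, the 5-password history depth and the 90-day age are assumed values chosen for illustration. The periodic-expiry check is included only because the page lists it as a feature; current NCSC password guidance advises against routine forced expiry.

```python
"""Access management for a practice management system (PMS) account store.

Added example, not part of the IG Toolkit or any PMS product. Role names,
MIN_LENGTH, HISTORY_DEPTH and MAX_AGE are assumed values for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 12                # assumed complexity threshold
HISTORY_DEPTH = 5              # assumed number of previous passwords blocked
MAX_AGE = timedelta(days=90)   # assumed periodic-change interval
ROLES = {"admin", "optometrist", "locum"}  # assumed role set


def is_complex(password: str) -> bool:
    """At least MIN_LENGTH characters drawn from three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a copied account store does not yield reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    role: str
    approved_by: str                    # who in the practice authorised the access
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    must_change: bool = True            # forced change at first logon
    suspended: bool = False
    expires_at: datetime | None = None  # set for locum / temporary access
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(_derive(password, self.salt), self.pw_hash)

    def previously_used(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, s), h) for s, h in self.history)


class AccessStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit: list[tuple[datetime, str]] = []  # evidence for compliance checks

    def _log(self, when: datetime, msg: str) -> None:
        self.audit.append((when, msg))

    def grant(self, user_id: str, role: str, approved_by: str, initial_password: str,
              now: datetime, temp_days: int | None = None) -> Account:
        """Grant access at a given level; temp_days gives a locum a self-expiring account."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        expires = now + timedelta(days=temp_days) if temp_days else None
        acct = Account(user_id, role, approved_by, salt, _derive(initial_password, salt),
                       now, expires_at=expires)
        self.accounts[user_id] = acct
        self._log(now, f"grant {user_id} role={role} by={approved_by} expires={expires}")
        return acct

    def revoke(self, user_id: str, by: str, now: datetime) -> None:
        """Leaver process: suspend rather than delete, so the audit trail survives."""
        self.accounts[user_id].suspended = True
        self._log(now, f"suspend {user_id} by={by}")

    def change_password(self, user_id: str, old: str, new: str, now: datetime) -> str:
        """Returns 'ok' or the reason the change was refused."""
        acct = self.accounts[user_id]
        if not acct.matches(old):
            return "bad-credentials"
        if not is_complex(new):
            return "not-complex"
        if acct.matches(new) or acct.previously_used(new):
            return "reused"
        acct.history = (acct.history + [(acct.salt, acct.pw_hash)])[-HISTORY_DEPTH:]
        acct.salt = os.urandom(16)
        acct.pw_hash = _derive(new, acct.salt)
        acct.pw_set_at = now
        acct.must_change = False
        self._log(now, f"password-change {user_id}")
        return "ok"

    def login(self, user_id: str, password: str, now: datetime) -> str:
        """Returns 'ok' or the reason access was refused; every outcome is logged."""
        acct = self.accounts.get(user_id)
        if acct is None or not acct.matches(password):
            self._log(now, f"login-failed {user_id}")
            return "bad-credentials"
        if acct.suspended:
            result = "suspended"
        elif acct.expires_at is not None and now > acct.expires_at:
            result = "account-expired"
        elif acct.must_change:
            result = "must-change-password"
        elif now - acct.pw_set_at > MAX_AGE:
            result = "password-expired"
        else:
            result = "ok"
        self._log(now, f"login {user_id} -> {result}")
        return result
```

The store returns a reason string rather than raising, so a front end can decide what to show the user, and every decision lands in `audit`, which is the record an internal compliance check (the "audits undertaken to ensure compliance" above) would sample. Suspending leavers instead of deleting them keeps the grant and approval history intact.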

Requirement 322

Has the optical practice ensured that all transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed, and that technical and organisational measures adequately secure these transfers?

Level 0: The optical practice has not mapped any flows of personal information, digital or hardcopy, and does not have documented evidence that it operates safe haven procedures for personal information that flows routinely into the organisation.

Level 1: The optical practice has identified and recorded its routine flows of personal and sensitive information, both digital and hardcopy, and has documented procedures for the secure transfer and receipt of personal and sensitive information.

Level 2: All information flows have been identified, recorded and risk assessed. Remedial action has been taken where significant risk is revealed. A senior manager has signed off the procedures and all staff members (including temporary staff) have been informed.

Hints and Tips

Guidance on mapping and risk assessing information flows can be found in Appendix 6. Risks should be recorded; this record is sometimes referred to as a risk register. The template information flow map and table in Appendix 7 could serve as your risk register. Safe havens are all secure points at which confidential information is received.

For digital transfers specifically:

Level 2: The optical practice has data handling procedures in place to ensure digital information is adequately protected in transit and only exchanged in accordance with NHS Codes of Practice and NHS information governance standards. Relevant staff members are effectively informed about the secure transit requirements for digital information, in particular by email.

Hints and Tips

Possible modes of digital exchange of information are: efax, email, instant messaging (IM), portable data storage devices, secure messaging, SMS messaging and web interfaces. Information that is transferred through the NHS CRS (including EPS) does not need to be considered, as it is protected by the robust access control and confidentiality framework developed by NHS CfH. Detailed guidance on the risks involved in using different data transfer methods can be found in Appendix 6. Optical practices should take particular care with portable data storage devices such as data sticks and with email communications. The technical aspects of the security and encryption of electronic communications will be beyond the control of optical practices. Requirement 116 covers contractual controls for third parties.

Level | Evidence Required | Resources Available | Yes/No
1 | Name of contractor representative that approved the secure transfer procedures (e.g. make note below) | - |
2 | Evidence that staff have been made aware of the secure transfer procedures, e.g. staff signature list | Staff signature list |
2 | Evidence that the secure transfer procedures are available in the optical practice (e.g. note below where they are stored) | - |
2 (Company only) | Companies will require a signed declaration from any sub contractors that the sub contractors are compliant with the above evidence requirements. | Template declaration sheet for Companies who use sub contractors |
Notes:

Appendix 1

Requirement | Baseline Rating (0-2) | Work to be Undertaken to meet Level 2 | Staff Member Responsible for Task | Optical practice target date for completion of task
114 (Information governance lead) | | | |
115 (Information governance policy) | | | |
116 (Contract clauses) | | | |
117 (Staff training) | | | |
209 (Offshore transfers) | | | |
212 (Patient consent) | | | |
213 (Patient awareness) | | | |
214 (Confidentiality code of conduct) | | | |
304 (Smart cards) | | | |
316 (Asset register) | | | |
317 (Physical security) | | | |
318 (Mobile computing) | | | |
319 (Business continuity) | | | |
320 (Incident reporting) | | | |
321 (Access to computer based information systems) | | | |
322 (Transfer of data) | | | |

Appendix 2: Guide to carrying out an IG Toolkit Assessment

Optical practices will need to carry out the following three steps to carry out an assessment:
1. Registration of the optical practice.
2. Completion of the assessment.
3. Submission of the assessment.

Step 1: Registration of the Optical practice

An optical practice must be registered to complete the online information governance assessment. Registration can be carried out by any individual nominated by the optical practice. Only one registration can be made per optical practice. The nominated individual should select the Register button from the menu of the Information Governance Toolkit (https://www.igt.hscic.gov.uk/); this displays the page in Figure 1. The organisation code can be obtained by contacting LOCSU or using the search tool located in the secure area of the LOCSU website. Click Next; you will be asked to confirm the details of your organisation. Click the Next button at the bottom of the form to confirm all of the information is correct. If you spot any errors, please notify the helpdesk immediately via exeter.helpdesk@hscic.gov.uk or telephone 0845 3713671. If you have not previously registered then you will see a message telling you that you are eligible to register online. Click Next; you will be presented with a form to fill out.

Please ensure the email address is correct as this is how NHS HSCIC will contact the nominated individual with information about the Information Governance Toolkit. After completing the form you will be presented with Terms and Conditions, which you should read and then tick the box to say that you accept them. Click Next once more and you will be presented with a page to Confirm Details. If the details are correct you should click Send Activation Email. This will send an email to the email account you registered, which will contain a link to complete registration.

PLEASE NOTE: You must confirm registration within 1 hour of receiving the activation email. An email will be sent which will contain all of the registration details except the password.

Step 2: Completing the Assessment

Information is added to the assessment by:
(a) Logging into the Information Governance Toolkit (using the information contained in the email along with your password) and selecting the Go to Assessments Section button. This brings up the Assessment Summary, which provides an overview of the status of the assessment including how many requirements have been answered.
(b) Click Work On This Assessment to reveal a screen similar to the one below.

Click on Answer next to a requirement to open it. This reveals a screen similar to the one below, and contains the requirement question and the attainment levels. There are also blue hyperlinks to Printable version (PDF) and Downloads and booklets. If you expand the section Attainment Levels, the evidence required for each Level can be seen; each sub-section can be marked as obtained if you have completed the evidence from this booklet. There is an option to upload evidence to the website, but this is not mandatory. There is also a comments box to make a note of where the evidence for the requirement is kept.

Expanding the Guidance section shows information on how to achieve each attainment level and links to legislation, government and national guidance, and examples of good practice from other organisations. The guidance online is in line with the guidance in this workbook, although some of the requirements within this booklet have been adapted to reflect the optical practice setting more realistically. Compliance with the guidance booklet requirement will be sufficient to enable you to check the box that you have achieved the level.
(c) For each requirement, as you check the boxes for the various parts of the attainment level a Current Rating will be created for you. You can also enter a Target rating for improvement (where necessary) and set a date by which the target level will be achieved. As you update each requirement, click the Save Rating button. Alternatively the record will also save by clicking Next. Clicking Done will take you back to the Requirements List.

It may be helpful to complete Appendix 1 with details of the optical practice's current rating to then transcribe into the Toolkit. The target rating for optical practices for all requirements is Level 2 by 31st March 2015.

Step 3: Submitting the assessment

Once you have recorded a level for all of the requirements you will be able to publish your result by clicking the Publish button. Note that it is not possible to withdraw a submission, so make sure the scores accurately reflect the assessment status of your optical practice before clicking the PUBLISH button. Otherwise, any improvements in scores should be entered in the next version of the Information Governance Toolkit. If a genuine error has been made the user should contact the Helpdesk at exeter.helpdesk@hscic.gov.uk or telephone 0845 3713671. The request will be considered by the Digital Information Policy team, but generally a submitted assessment would only be deleted after the deadline if there are extenuating circumstances. Once they have been submitted, the assessment and requirements can still be viewed from the assessment screen whilst a user is logged into the Toolkit.

In the unlikely event that an assessment needs to be deleted, it can be done by clicking the delete button on the Assessments page and ticking the confirm deletion box. This can only be done if the assessment has not already been submitted. Please note: if the assessment is deleted, all requirements answered and scores entered will be lost and a new assessment will have to be created. Take care not to delete an assessment by accident.

Multiples

Currently each optical practice premises needs to be registered individually; the online Information Governance Toolkit does not support bulk registration. It is possible for a Head Office staff member to centrally view the submissions of individual stores through a central log-in. To access this function, contact the Helpdesk (0845 3713671) with the name and address of the optical practice head office.

Help

Support in registering and using the toolkit is available from NHS HSCIC at exeter.helpdesk@hscic.gov.uk or telephone 0845 3713671. If the user of the toolkit is leaving or has left the optical practice, please ensure that the Helpline is contacted so that another user can be registered to use the toolkit.

Appendix 3: Briefing: Confidentiality and the Law

There are a range of legal and ethical provisions that limit or prohibit the use and disclosure of personal information and, similarly, a range of provisions that require information to be used or disclosed in certain exceptional circumstances. The privacy of personal information and personal health data are governed by the Common Law and Article 8 of the Human Rights Act 1998 (which states that "Everyone has the right to respect for his private and family life, his home and his correspondence"). The Data Protection Act 1998 reinforces the position by requiring all data processing to meet a range of requirements and to be lawful, with extra protection for sensitive data such as health records. All optical practices are required to comply with the NHS Code of Practice on Confidentiality, and there is a professional requirement on optometrists to comply with the College of Optometrists' Code of Ethics and Guidance for Professional Conduct, which includes references to confidentiality.

Data Protection Act 1998

The Data Protection Act 1998 (the "DPA") aims to promote high standards in the handling of personal information, and so protect the individual's right to privacy. The Information Commissioner is responsible for enforcing the DPA. The DPA applies to anyone holding personal information about living individuals and therefore applies to all NHS optical practice contractors. The DPA requires organisations to comply with a number of legal responsibilities:
- to notify the Information Commissioner that you are processing personal information;
- to process the personal information in accordance with the eight principles of the DPA; and
- to answer subject access requests received from individuals.

Notification

A notification form can be completed online (www.ico.gov.uk), then printed and sent with the notification fee, which is payable to the Information Commissioner's Office. The notification must be renewed on an annual basis (a renewal reminder is sent out). Failure to notify is a criminal offence. Only one notification is required per legal entity. This will cover any number of different branches or addresses where the data is processed. In recent years, a number of private companies have been contacting businesses throughout the UK demanding fees in excess of the notification fee to register/notify your business under the DPA. Do not be misled by these 'agencies'. They have no official standing or powers under the DPA and there is no connection between them and the Information Commissioner's Office.

The Eight Data Protection Principles

The DPA places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Under the DPA, anyone processing personal information must comply with the eight enforceable principles of good information handling practice set out below. Data must be:
1. fairly and lawfully processed;
2. processed for a specified purpose or purposes;
3. adequate, relevant and not excessive;
4. accurate and up to date;
5. not kept longer than necessary;
6. processed in accordance with the individual's rights;
7. protected by appropriate security (practical and organisational);
8. not transferred to countries outside of the European Economic Area without adequate protection.

Under Principle 1, at least one of the following six conditions must be met for personal information to be considered fairly processed:
1. the individual has consented to the processing;
2. processing is necessary for the performance of a contract with the individual;
3. processing is required under a legal obligation (other than one imposed by the contract);
4. processing is necessary to protect the vital interests of the individual;
5. processing is necessary to carry out public functions, e.g. administration of justice;
6. processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual).

For sensitive personal information to be considered fairly processed, at least one of several additional conditions must be met. These include:
- having the explicit consent of the individual;
- being required by law to process the information for employment purposes;
- needing to process the information in order to protect the vital interests of the individual or another person;
- dealing with the administration of justice or legal proceedings.

Sensitive personal information includes health records, information on racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, sex life information, criminal proceedings or convictions.

Overseas Data Transfers

Principle 8 of the DPA governs transfers of personal information and requires that it is not transferred to countries outside of the European Economic Area (EEA) unless that country has an adequate level of protection for the information and for the rights of individuals. The EEA is made up of the 27 EU Member States plus Iceland, Liechtenstein and Norway.

Countries outside of the EEA, known as third countries, currently deemed to have an adequate level of protection for personal data are: Argentina, Canada, Guernsey, Switzerland and the Isle of Man. Personal information can also be transferred to companies in the USA that have signed up to the 'safe harbor' agreement. These companies have agreed to abide by a set of rules similar to those found in the DPA. More information can be found in the Information Commissioner's guidance, "The Eighth Data Protection Principle and International Transfers". Information about overseas transfers of information must be included within the optical practice's data protection notification to the Information Commissioner. Note: Department of Health guidelines on overseas information transfers are more restrictive than the DPA; these require that personal information is NOT transferred outside of the UK unless appropriate assessment of risk has been undertaken and mitigating controls put in place.

The Rights of Individuals under the DPA

The DPA also enforces seven rights of individuals:
1. The right to subject access. This allows people to find out what personal information is held about them.
2. The right to prevent processing. Anyone can ask a data controller not to process information relating to him or her that causes substantial unwarranted damage or distress to them or anyone else. [Note: Although a patient could demand that there is no record made on the practice management system, the Terms of Service provide a statutory requirement for the entry, so the patient would have to accept that they cannot receive the NHS service (in this case the processing of personal information is warranted irrespective of any evidence the patient is able to provide of distress or harm that is being caused to them or someone else).]
3. The right to prevent processing for direct marketing. Anyone can ask a data controller not to process information relating to him or her for direct marketing purposes.
4. Rights in relation to automated decision-taking. Individuals have a right to object to decisions made only by automatic means, i.e. where there is no human involvement.
5. The right to compensation. An individual can seek compensation from a data controller for damage and distress caused by any breach of the DPA. Compensation for distress alone can only be sought in limited circumstances.
6. The right to rectification, blocking, erasure and destruction. Individuals can apply to the court to order a data controller to rectify, block or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information.
7. The right to ask the Commissioner to assess whether the DPA has been contravened. If someone believes their personal information has not been processed in accordance with the DPA, they can ask the Commissioner to make an assessment. If the DPA is found to have been breached and the matter cannot be settled informally, then an enforcement notice may be served on the data controller in question.

Subject Access Requests

Individuals have a right under the DPA to make a request in writing for a copy of the personal information that is held about them. This is called a subject access request. They are also entitled to be given a description of the information, its purpose, who it might be passed on to and any further information about the source of the information. Data controllers can ask for any information which they reasonably require in order to verify the identity of the person making the request and to locate the data. Once a request has been received, data controllers have to provide a copy of the requested information within 40 days. Data controllers may charge a fee of up to £10 for responding to a subject access request where information is stored on a computer. If the record consists of both a computerised and a manual record, up to £50 can be charged. If the request is not received in writing or the individual is not willing to pay the fee, it is not obligatory to provide the information.

Human Rights Act 1998

Article 8 of the Human Rights Act 1998 establishes a right to respect for private and family life. This underscores the duty to protect the privacy of individuals and preserve the confidentiality of their health records. Current understanding is that compliance with the Data Protection Act 1998 and the common law of confidentiality should satisfy Human Rights requirements.
Any decision to override a duty of confidence in the public interest must be consistent with the rights described in Article 8. This requires that any disclosure of personal information must be necessary and proportionate:
- Disclosures must be necessary to achieve the purpose (e.g. the risks of non-disclosure should be identifiable, real and arising in the foreseeable future) and limited to the relevant details.
- Each disclosure must be considered on its own merits.
- The public interest served by the disclosure must outweigh the competing public interest in protecting the confidentiality of the individual's health information and, more generally, in the provision of a confidential health service.

Common Law Duty of Confidence

Decisions taken by the UK courts, together with ethical duties of confidentiality placed on optometrists and other clinical professionals, have resulted in personal health information being treated with a much higher degree of sensitivity than most other types of personal information. This has resulted in acceptance that personal health information can only be disclosed to a third party when:
- the patient provides explicit consent; or
- there is a legal requirement to do so; or
- there is an overriding public interest (for example, to prevent a serious crime from taking place).

Confidentiality: NHS Code of Practice

The Confidentiality NHS Code of Practice is a guide to required practice for those who work within or under contract to NHS organisations and is concerned with issues surrounding confidentiality and patients' consent to the use of their health records. The aim of the Code is to ensure that all patient information is processed fairly, lawfully and as transparently as possible by NHS staff and contractors so that the public:
- understand the reasons for processing personal information;
- are asked for their consent for the disclosure and use of their personal information;
- gain trust in the way the NHS handles information; and
- understand their rights to access information held about them.

NHS GOS Contract: Confidentiality of personal data

The General Ophthalmic Services (GOS) contract contains the following clause:
56. The Contractor shall nominate a person with responsibility for practices and procedures relating to the confidentiality of personal data held by it.

College of Optometrists Code of Ethics and Guidance for Professional Standards

The College of Optometrists' Code of Ethics also requires that all optometrists and optical staff take all reasonable steps to prevent accidental disclosure of, or unauthorised access to, confidential information and ensure that confidential information is not disclosed without consent, apart from where permitted to do so by the law or in exceptional circumstances. Failure to adhere to these standards could form the basis of a complaint of professional misconduct.

The Caldicott Principles

The December 1997 Caldicott Report identified weaknesses in the way parts of the NHS handle confidential patient data. The report defined six Caldicott principles which provide a framework for the management of access to personal information within the NHS.

Caldicott Principles
Principle 1: Justify the purpose for using confidential information.
Principle 2: Only use identifiable information if absolutely necessary.
Principle 3: Use the minimum that is required.
Principle 4: Access should be on a strict need-to-know basis.
Principle 5: Everyone must understand their responsibilities.
Principle 6: Understand and comply with the law.

Deceased patients

The records of deceased patients must be treated with the same level of confidentiality as those of the living. The Access to Health Records Act 1990 governs access to the health records of deceased patients. Further information about the requirements of this Act can be found at www.dh.gov.uk.

Appendix 4: Briefing: Consent and the Law

What is Consent?

The Oxford English Dictionary defines consent as permission or agreement. In the healthcare context, consent is a person's agreement to receive a treatment or professional service that is appropriate to their needs. "The securing of consent for any health intervention, whether or not it involves physical contact, is essentially the embodiment of respect for the patient's autonomy." (Wingfield J. Consent: The heart of patient respect. Pharm. J. (2007) 279: 411)

Why is consent important?

Administration of a treatment to a patient without their consent, involving any kind of physical contact, may leave a practitioner open to a charge of battery (non-consensual physical contact) or negligence (failure to inform the patient and seek consent) under English law. Consent extends to all decision-making about a patient's healthcare, including the storage, use and disclosure of patient information collected to support the clinical care of the patient. The NHS Confidentiality Code of Practice stipulates that patients should give their consent for the disclosure and use of their personal information by health professionals. Consent can be implied where the disclosure is to other healthcare professionals involved in the patient's care; other disclosure will require the patient's explicit consent. Under the Data Protection Act 1998, the optical practice contractor is the data owner, and eight general data protection principles apply (discussed in detail in the previous section on Confidentiality and the Law). For the first of these, that data are fairly and lawfully processed, consent is one of the conditions that can evidence that the processing being done is fair and lawful.

What is valid consent?

Consent may be implied or explicit. Implied consent is where the patient indicates their consent by their action. For example, when a patient attends for a sight test, they are giving implied consent for the optical practice staff to perform the usual functions of sight testing. Explicit consent is where the patient actively indicates their consent, either verbally or in writing (by completing and signing a form). For consent given to be valid, the following criteria must apply:
1. The patient must have the capacity to make the decision in question, and to understand the information provided during the decision-making process.
2. The patient must be given sufficient information to be able to make an informed decision about the service they are being offered.
3. The patient must make the decision voluntarily, i.e. they must not be coerced or put under pressure to make a certain decision.

Capacity

Adults over the age of 18 are presumed to have capacity to make decisions about their healthcare. Young children and patients who have mental disorders (for example, dementia) may not have the capacity to make some decisions about their healthcare. Optometrists and Dispensing Opticians are reminded of the principle set out in the Fraser Guidelines (sometimes referred to in terms of 'Gillick competence') whereby a person under the age of 16 can give consent if he or she has sufficient understanding and intelligence to enable him or her to understand fully what is proposed. However, in England and Wales, where young people under the age of 18 refuse to give consent, their decision may, in exceptional circumstances, be overridden by the courts, where this is considered to be in the young person's best interests. Traditionally, assessment of a patient's capacity to give consent for a treatment has been left to the discretion of the practitioner, based on his or her experience and judgement. Recently, the concept of capacity has become better defined legally due to case law, and the Mental Capacity Act 2005 has established principles and safeguards for vulnerable adults. The principles of the Mental Capacity Act 2005 are as follows:
- Every adult is presumed to have capacity;
- Individuals have the right to be supported to make their own decisions;
- Individuals retain the right to make what might be seen as eccentric or unwise decisions;
- Interventions for people without capacity must be the least restrictive possible;
- Any action taken on behalf of a person without capacity must be in their best interest (not that of the health professional or their organisation).

Informed Consent

The optometrist or dispensing optician should ensure that the patient has sufficient information (clear, accurate and presented at a level that the person can understand) to make the decision in question. Care should be taken to address any particular communication needs (poor sight/hearing, or a language barrier), and the person's understanding of what has been asked should be confirmed. Optometrists and dispensing opticians should bear in mind that research indicates that the explanation given (appropriate level of detail, quality of communication etc.) has a bearing on the likelihood of consent being given.

Voluntary Consent

The patient's consent should be given voluntarily and without any coercion. Optometrists and dispensing opticians should bear in mind that some people may adopt inappropriately passive roles if they are distressed or in pain. Optical practice staff should never put pressure on patients to provide information or to give consent for information to be shared in order to meet commercial objectives and targets in service development. Another important aspect of voluntary consent is that the patient should be able to change their mind at any time about the treatment or service being offered, and rescind the consent they have given.

Obtaining Consent to Store Information about Patients

In accordance with the Data Protection Act 1998, optical practices are required to obtain a patient's consent to store information about them to support services provided, stating the purpose for which the information is being collected. However, the NHS General Ophthalmic Services (GOS) Contract 2010 requires optometrists to keep and maintain records of examinations and appliances provided and also of advice given and any intervention or referrals made. In these cases, because the legislation requires the record, patient consent is not required to store and maintain the record, but patients should be made aware that records are being kept for them and the purpose for which the records are used (see Information Governance Requirement 213). If patients refuse consent they should be advised of the consequences of being unable to access the NHS General Ophthalmic Services. An optical practice should seek explicit, informed consent from a patient to process information, including storing personal data to support those optical practice services where the keeping of records is not mandated in statute. For example, patients' consent is required to share personal information linked to the delivery of a community service. The College of Optometrists' Code of Ethics and Guidance for Professional Conduct indicates that obtaining consent is an ongoing process, not a single event. Consequently, as well as obtaining consent when the service is offered to patients, optical practices should, where practical, review the patient's consent when there are significant changes to the service being offered. In the context of collecting information from a patient to support a service, this might include:
- If the patient's circumstances change;
- If new information is required from the patient to provide the same service;
- If the procedure for service provision changes;
- If the patient data needs to be stored in a different location;
- If a change in procedure requires routine disclosure of information to a third party in order to provide the service;
- If a third party requests disclosure of information for a particular patient.

Optical practices should ensure that they have a standard operating procedure (SOP) for obtaining consent from patients to collect and store information to provide optical services.

Information Sharing

Disclosure of patient information without the subject's explicit consent, other than where consent is implied or there is a specific exception (see below), generally constitutes a breach of the Data Protection Act 1998, as well as of the common-law duty of confidence.

College of Optometrists Code of Ethics and Guidance for Professional Standards

The College of Optometrists' Code of Ethics also requires that all optometrists and optical staff take all reasonable steps to prevent accidental disclosure of, or unauthorised access to, confidential information and ensure that confidential information is not disclosed without consent, apart from where permitted to do so by the law or in exceptional circumstances. Failure to adhere to these standards could form the basis of a complaint of professional misconduct.

Disclosure of Information without Patient Consent

Optical practices have a duty to safeguard personal data and not to disclose patient data to a third party without the subject's consent. Unauthorised disclosure of patient identifiable data collected under the Data Protection Act 1998 (disclosure without the patient's consent) constitutes a breach of the Act. There are a few exceptions to this, where disclosure may be made without the patient's consent:
- Where the patient's parent, guardian or carer has consented to the disclosure and the patient is deemed by law to be, or appears to be, incapable of consenting;
- Where disclosure is to a person or body empowered by statute to require disclosure of that information;
- Where disclosure is directed by HM Coroner, a judge or presiding officer of a court, the Crown Prosecution Office in England or Wales, or the Procurator Fiscal in Scotland;
- Disclosure to a police officer or NHS fraud investigation officer who provides, in writing, confirmation that disclosure is necessary to assist the prevention, detection and prosecution of serious crime;
- Where necessary to prevent serious injury or damage to the health of a patient, a third party or to public health;
- Where disclosure is necessary for the protection of children or vulnerable adults.

Before releasing information about a patient without the patient's consent, optical practices should, where possible, endeavour to persuade the patient to release the information themselves for the purpose for which it is required, or to give their consent for the information to be released, unless consulting the patient would itself hinder or defeat the purpose of the disclosure. The reasons for disclosing personal information without consent should be fully documented in all cases. Where records are deliberately accessed without authority, the individual may face criminal charges. Optometrists and dispensing opticians may also face disciplinary action by the General Optical Council for a breach of professional standards.

Appendix 5 Guidance on Specific Data Transfer Routes
Version April 2014

Physical Transfer

Using postal/courier services
Hardcopy documents are still routinely used in optical practices, for example spectacle prescription forms, GOS forms and GOS 18 referral letters. The optical practice contractor should decide, based on a risk assessment, whether information should be sent by post or courier, for example based on the volume and sensitivity of the information being sent.

Verbal Communications
The security and confidentiality of telephone and personal conversations should be considered within the optical practice's code of practice on confidentiality as well as in SOPs and staff training.

Recorded messages
Recorded telephone messages may contain personal or sensitive information, such as the names and addresses of patients phoning about spectacle prescriptions or referrals, details of health professionals phoning with queries about patients, or applicants for advertised jobs. Consideration should be given to which staff members have access to answering machines. Password-protected voicemail boxes can be used to control access where this functionality is available on the phone.

IP Phones
IP phone systems use voice over IP (VoIP) technology to allow telephone calls to be made across an internet connection rather than via standard telephony. IP phones are subject to similar security risks to unsecured email, for example eavesdropping, traffic sniffing and unauthorised re-routing. The level of risk will depend on the size and architecture of the IP phone deployment, and optical practices wishing to use this technology to transfer personal or sensitive data should seek expert advice from an appropriate information security professional.

Fax Communications
Fax communications are routinely used in optical practices, for example to receive copies of records and to send referral letters.
Best practice in sending and receiving faxes is:
1) The sender phones the recipient to advise them that a fax is about to be sent.
2) The sender double-checks the fax number and, where possible, uses fax numbers that are pre-programmed into the fax machine. Note that some NHS organisations have a fax machine designated for confidential information.
3) The fax is sent with a cover sheet stating who it is intended for, marked Private & Confidential and addressed to a named recipient.
4) The sender ensures the original document is removed from the fax machine.
5) The recipient removes the fax from the machine on receipt.
6) The recipient contacts the sender to confirm receipt and that the fax will be appropriately dealt with and safely stored.
In optical practices, if the fax machine receives personal information, it should be sited in a safe haven, for example a staff-only area where access to the machine is controlled.

efax
efax software allows users to send or receive a fax via a computer rather than a fax machine. The information governance risks of efax are therefore a combination of the risks of email and of standard fax communications. There is currently no efax service recognised as being sufficiently secure to support the routine transfer of patient personal data.

E-mail Communications
NHSmail is currently the only NHS-approved method for exchanging patient data by email, and only if both sender and recipient use an NHSmail account, or if sending from NHSmail to another government secure domain such as:
    GSi (*.gsi.gov.uk)
    CJX (*.police.uk or *.pnn.police.uk)
    GSE (*.gse.gov.uk)
    GSX (*.gsx.gov.uk)
    GCSX (*.gcsx.gov.uk)
    SCN (*.scn.gov.uk)
    CJSM (*.cjsm.net)
    MoD (*.mod.uk)
Other email services should not normally be used for sending personal or sensitive information. Work is ongoing to facilitate an NHSmail address for all optical practices and community optical practice staff that require one. More information about NHSmail for optical practice staff is available from the Optical Confederation. Where NHSmail is used to send sensitive information, this should be clearly indicated in the subject header, for example by marking it Confidential.

One interim option for optical practices that do not yet use NHSmail is to transmit personal information as an encrypted attachment. The NHS recommendation is for AES-256 encryption to be employed. This standard is available in applications such as PGP or WinZip version 9 or above. With these products the data can be put into a Self Decrypting Archive (SDA).
An SDA is a self-extracting executable and so does not need WinZip at the receiving end, but executable attachments are commonly blocked by email gateways; if an ordinary encrypted .zip is sent instead, the sender should check beforehand that the recipient has WinZip (version 9 or above) or another tool that supports AES-256 zip encryption, and the archive must be created with AES-256 rather than the weak legacy "Zip 2.0" encryption that older tools default to. The pass phrase for the archive must be of an appropriate length and complexity. To ensure the safety of data in transit, the pass phrase should be communicated to the recipient separately from the encrypted data (for example by telephone), so that only the intended recipient is able to decrypt it. As well as software requirements, consideration also needs to be given to staff training and the workload involved in creating, opening and decrypting an archive. Care must be taken to ensure that no sensitive information is included in the subject or body of the email itself, since those are not encrypted.
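The email rule above, written as a check a practice's sending procedure could apply, is shown here as an added example; it is not code from the original guidance. It assumes that NHSmail addresses are in the nhs.net domain and that the secure-domain list is exactly the one listed above; the decision labels are this example's own. The point worth seeing in code is that "secure domain" must be matched on a label boundary: an address at notgsi.gov.uk or at gsi.gov.uk.attacker.example must not pass.

```python
# Added example (not part of the original guidance): applying the NHSmail /
# secure-domain rule as a pre-send check. Patient data may go in the clear
# only from an NHSmail account to an NHSmail account or to a government secure
# domain; otherwise it may travel only as an encrypted attachment, with the
# pass phrase sent separately and nothing sensitive in the message itself.
# Assumptions: NHSmail addresses end in @nhs.net; the suffix list is
# transcribed from the guidance; the result labels are this example's own.

NHSMAIL_SUFFIX = "nhs.net"   # assumption: NHSmail domain
SECURE_SUFFIXES = (
    NHSMAIL_SUFFIX,
    "gsi.gov.uk",    # GSi
    "police.uk",     # CJX; also covers *.pnn.police.uk
    "gse.gov.uk",    # GSE
    "gsx.gov.uk",    # GSX
    "gcsx.gov.uk",   # GCSX
    "scn.gov.uk",    # SCN
    "cjsm.net",      # CJSM
    "mod.uk",        # MoD
)


def domain_of(address):
    """Return the lower-cased domain of a simple user@domain address, or None
    if it is malformed (no "@", more than one "@", empty parts, dotted ends)."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain or domain.startswith(".") or domain.endswith("."):
        return None
    return domain


def has_suffix(domain, suffix):
    """True if domain is suffix itself or a subdomain of it. Matching on the
    label boundary is what stops "notgsi.gov.uk" from counting as GSi."""
    return domain == suffix or domain.endswith("." + suffix)


def is_nhsmail(domain):
    return domain is not None and has_suffix(domain, NHSMAIL_SUFFIX)


def is_secure_domain(domain):
    return domain is not None and any(has_suffix(domain, s) for s in SECURE_SUFFIXES)


def transfer_decision(sender, recipient, attachment_encrypted=False,
                      message_has_patient_data=False):
    """Decide how patient-identifiable data may be emailed.

    "send"                  sender is NHSmail and recipient is NHSmail or a
                            secure domain (mark the subject Confidential).
    "encrypted_attachment"  route is not secure, but the data is inside an
                            AES-256 archive and the subject/body carry no
                            patient data; send the pass phrase out of band.
    "block"                 anything else, including malformed addresses.
    """
    s, r = domain_of(sender), domain_of(recipient)
    if s is None or r is None:
        return "block"
    if is_nhsmail(s) and is_secure_domain(r):
        return "send"
    if attachment_encrypted and not message_has_patient_data:
        return "encrypted_attachment"
    return "block"


if __name__ == "__main__":
    # Constructed sample addresses, not real accounts.
    for case in [("optom@nhs.net", "triage@nhs.net"),
                 ("optom@nhs.net", "fraud@x.pnn.police.uk"),
                 ("optom@nhs.net", "gp@notgsi.gov.uk"),
                 ("practice@example.com", "triage@nhs.net")]:
        print(case, "->", transfer_decision(*case))
```

The check deliberately treats a malformed or ambiguous address as "block" rather than guessing, and it does not attempt to verify that the recipient address is the right one; that confirmation step (phoning the recipient, using a stored address) still has to be done by a person.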

When emails including attachments are received containing personal or sensitive information, whether via NHSmail or as encrypted attachments from other email solutions, they should be stored appropriately on receipt, for example incorporated into the practice management system and deleted from the email system when no longer needed. Some companies monitor emails for malicious code or misuse. Where this is undertaken, the organisation's email and internet policies should include guidance for staff on what monitoring is routinely conducted. Comprehensive guidance is available in the Employment Practices Code produced by the Information Commissioner's Office.

SMS Text Messages
There are various potential applications for text messages in the provision of optical practice services, for example patient reminders to collect spectacles or attend an appointment. Key considerations when using text messages are:
1) Is the mobile phone number correct?
2) Is the mobile phone receiving the text message being used by the intended recipient of the message?
3) Has the message been received, and what provision is there to audit message receipt?
4) Text messages may be stored on SIM cards and/or the mobile phone itself and are typically only cleared when overwritten (not necessarily when erased); as mobile phones are easy to misplace or may be stolen, there is a danger of a breach of confidentiality occurring.
Text messages should not normally be used to convey sensitive information, for example referrals, and the use of text messages for the transfer of personal data should be kept to a minimum. For example, a reminder to collect spectacles does not need to include the prescription. Optical practices should carefully weigh the benefits of using text messages to convey patient information against the risks of doing so.
When consent is sought for patient reminder services, patients should be informed of what information will be included in the standard SMS messages sent to them via the service.

Electronic Messaging Software
Electronic instant messaging (IM) software, such as MSN Messenger and Yahoo! Messenger, presents a number of information governance risks to users:
1) IM software is particularly vulnerable to malware, such as viruses, Trojans and worms.
2) In many IM services, data is unencrypted. Such services therefore do not provide sufficient security for transmission of patient data, as they are at risk of unauthorised access and electronic surveillance.
3) In many IM services, there are no audit trails of access and transmission. The NHS Care Records Guarantee requires systems to maintain audit trails for the access and transmission of patient data.
4) IM services can be used to bypass restrictions on what can be sent as e-mail attachments.
IM software is therefore not suitable for the transmission of personal data. Whilst it is possible that solutions will be developed in future which offer the necessary security and audit controls, there are no IM solutions currently recognised by the NHS as being suitable for the transmission of personal information. Optical practices wishing to implement this technology to transfer personal or sensitive data should seek expert advice from an appropriate information security professional.

Web Applications
There are a number of web applications that collect and transfer sensitive or personal information, for example online platforms to support the recording of community services. Optical practice contractors should satisfy themselves that applications used to support the delivery of NHS services comply with the NHS Code of Practice on Confidentiality and have appropriate information security measures in place to prevent unauthorised or unlawful processing, or accidental loss, destruction or damage, of personal information.

Remote Desktop Access Software by Optical Practice Staff
There are a number of commercially available remote access solutions that provide an instant secure connection from one PC to another across the internet. For example, this could be used to provide access to a computer in a GP practice or a hospital from within the optical practice, or it could be used by an optometrist or dispensing optician with a wireless internet connection, undertaking a service outside the optical practice, to remotely access records within the optical practice. The HSCIC has opted not to approve any remote connection providers, but some solutions have been given support by certain Area Teams. If using a remote access solution, optical practice contractors should satisfy themselves that the application complies with the NHS Code of Practice on Confidentiality, seeking expert advice where necessary.

Virtual Private Networks
Some optical practices may wish to create Virtual Private Networks (VPNs) within their business, for example to allow the head office secure access to a computer in a particular branch. Expert advice on VPNs should be sought from optical practice system suppliers.

Portable Data Storage Devices and Mobile Computing Devices
Portable data storage devices, such as data sticks (also known as USB sticks or pen drives), and mobile computing devices such as laptops, tablets and smartphones, are often used in optical practices.
Best practice requires that personal or sensitive data should only be held on portable data storage devices when it is essential to patient care and, if so, should be encrypted according to NHS data standards. In addition, the device should be protected by a strong password. It is recognised that for some devices, such as laptops, encryption may take some time to achieve. Therefore, if following a risk assessment it is felt that continued reliance upon unencrypted data is necessary for the benefit of patients, the outcome of the risk assessment must be reported to the most senior person in the optical practice, so that he/she is appropriately accountable for the decision to accept the data vulnerability or to curtail working practices in the interests of data security. Expert guidance on encryption of computers should be sought from system suppliers.

NHS Encryption Standards
The NHS information governance data encryption algorithms currently applicable are 3DES, AES-256 or Blowfish, with a recommended minimum key length of 256 bits where the algorithm supports it. AES and Blowfish do; 3DES is limited to a 168-bit key and offers well under 256 bits of security, so AES-256 should be preferred for any new deployment. Secure memory sticks that comply with NHS standards (e.g. AES-256 hardware encryption) are now freely available to buy off the shelf from IT retailers. Some devices automatically enforce the choice of a strong, and therefore more secure, password. An alternative to using an encrypted memory stick is to encrypt the file itself held on the memory stick. The NHS recommendation is for AES-256 encryption to be employed. This standard is available in applications such as PGP or WinZip version 9 or above.

If portable data storage devices are being transferred between sites or organisations, for example data sticks with patient records, they should be properly packaged and clearly labelled to ensure they are handled correctly. The password should be transferred separately from the device, e.g. if the device is posted, the password should be sent in a separate envelope or communicated through a different route such as by phone. No more than the minimum amount of data needed to support the work being done should be stored on a portable storage device.

The greatest security risk with portable devices is the loss or theft of the device itself. Users should therefore:
1) Keep devices in a safe and secure place, wherever they are being used.
2) Ensure appropriate encryption is applied to the device or the data.
3) Report loss, theft or suspected unauthorised disclosure of data immediately.
4) Consider remote data wiping functions for tablets and mobile phones.
5) Not store devices and access tokens in the same location.

Wireless Networks
There is an emerging use of wireless networks within optical practices, for example to connect laptops in a consultation area to the practice network without the need for cabling. Expert advice (e.g. from optical practice system suppliers) should be sought to set up a wireless network in an optical practice. Some suppliers have chosen not to support or endorse wireless networks.

Appendix 6 Guidance on Data Mapping and Risk Assessment
A key requirement of information governance assurance is to map and record all routine flows of personal information (Requirement 208). This is then used to identify risks associated with data transfer so that appropriate measures can be taken to remove or mitigate the risks.

Step 1: Mapping Flows
Only routine (including annual) flows of sensitive or personal information should be considered in the mapping exercise, i.e. flows that occur on a regular basis. Bulk data flows, in particular, should be mapped. There are four elements to consider for every transfer:
1. Data items: the information being transferred, for example an MUR form, prescription information, enhanced services information;
2. Format: for example hardcopy MUR form, hardcopy prescriptions, email, or information uploaded to online systems that collect information, such as websites supporting the delivery of enhanced services;
3. Transfer method: for example post, fax or email. National NHS applications such as EPS can be excluded;
4. Location of the recipient: for example NHS Prescription Services, the GP surgery or the NHS Area Team office. It is not necessary to name every single location if the same data format and transfer method are used; for example, if the optical practice sends GOS 18 forms to local GP surgeries, there is no need to list the address of every GP surgery.
A template information flow map for an optical practice can be found on page 60. This should be locally tailored.

Step 2: Identifying and Categorising Risks
It is important that any risks in transferring personal or sensitive information are identified as a result of the mapping process. The table below provides a method of allocating a basic grading of High, Medium or Low to the security risk presented by a particular transfer method. It compares the impact of data loss, for example the impact on patients and on the optical practice business, with the likelihood of data being lost.

Categories of Risk

                          Likelihood
IMPACT            Probable    Possible    Unlikely    Rare        Negligible
Critical          High        High        High        Medium      Low
Major             High        High        Medium      Medium      Low
Moderate          High        Medium      Medium      Low         Very Low
Minor             Medium      Medium      Low         Low         Very Low
Insignificant     Low         Low         Very Low    Very Low    Very Low

Impact definitions / Incident Classification
This impact classification can also be used to classify information security incidents.
    Insignificant: Minimal discernible effect on patients or the optical practice.
    Minor: Minor breach, for example data lost but files encrypted, fewer than five patients affected. Inconvenient to the optical practice but manageable.
    Moderate: Moderate breach, for example unencrypted clinical records lost, up to 20 patients affected. Potential for damage to the optical practice's reputation.
    Major: Serious breach, for example unencrypted clinical records lost, up to 1,000 patients affected, or information of particular sensitivity (e.g. sexual health information) disclosed. Potential for damage to the optical practice's reputation and/or media coverage.
    Critical: Serious breach in terms of volume of records, for example over 1,000 patients affected, or particular sensitivity of records. Damage to the reputation of the NHS and the optical profession. Potential for national media coverage.
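The grading method of Step 2 and the impact classes above, as an added example in code so that every data flow and incident in a practice is scored the same way; this is not code from the original guidance. The likelihood/impact grid and the class boundaries (five, 20 and 1,000 patients; encrypted versus unencrypted; particular sensitivity) are transcribed from the text. Where the guidance gives no example, namely encrypted data lost for five or more patients, the code assumes encryption lowers the class by one step; that is this example's assumption, not a rule the guidance states.

```python
# Added example (not part of the original guidance): the Appendix 6 grading
# method as code. The grid and the impact classes are transcribed from the
# guidance; the rule turning an incident's facts into an impact class follows
# the worked examples in the impact definitions, with one labelled assumption.

LIKELIHOODS = ("Probable", "Possible", "Unlikely", "Rare", "Negligible")
IMPACTS = ("Insignificant", "Minor", "Moderate", "Major", "Critical")

# "Categories of Risk" grid: rows are impact, columns follow LIKELIHOODS.
RISK_GRID = {
    "Critical":      ("High",   "High",   "High",     "Medium",   "Low"),
    "Major":         ("High",   "High",   "Medium",   "Medium",   "Low"),
    "Moderate":      ("High",   "Medium", "Medium",   "Low",      "Very Low"),
    "Minor":         ("Medium", "Medium", "Low",      "Low",      "Very Low"),
    "Insignificant": ("Low",    "Low",    "Very Low", "Very Low", "Very Low"),
}


def risk_grade(impact, likelihood):
    """Grade (High / Medium / Low / Very Low) for an impact and a likelihood."""
    if impact not in RISK_GRID:
        raise ValueError("unknown impact class: %r" % (impact,))
    if likelihood not in LIKELIHOODS:
        raise ValueError("unknown likelihood: %r" % (likelihood,))
    return RISK_GRID[impact][LIKELIHOODS.index(likelihood)]


def classify_impact(patients_affected, encrypted, particularly_sensitive=False):
    """Impact class of a loss or disclosure, following the impact definitions:
    Minor = encrypted, fewer than five patients; Moderate = unencrypted, up to
    20; Major = unencrypted, up to 1,000, or particularly sensitive data;
    Critical = over 1,000 patients. Nobody affected is Insignificant."""
    if patients_affected <= 0:
        return "Insignificant"
    if patients_affected > 1000:
        base = "Critical"
    elif patients_affected > 20 or particularly_sensitive:
        base = "Major"
    elif patients_affected >= 5:
        base = "Moderate"
    else:
        base = "Minor" if encrypted else "Moderate"
    if encrypted and base != "Minor":
        # Assumption of this example (not stated in the guidance): encryption
        # steps the class down by one, mirroring the encrypted/unencrypted
        # contrast between the Minor and Moderate examples.
        base = IMPACTS[IMPACTS.index(base) - 1]
    return base


def assess_incident(patients_affected, encrypted, likelihood,
                    particularly_sensitive=False):
    """Return (impact class, risk grade) for a data flow or incident."""
    impact = classify_impact(patients_affected, encrypted, particularly_sensitive)
    return impact, risk_grade(impact, likelihood)


def needs_immediate_action(grade):
    """Step 4: a significant (High) risk means suspending the transfer or
    switching to a more secure method until remedial action is taken."""
    return grade == "High"


if __name__ == "__main__":
    # Constructed scenarios for illustration only.
    scenarios = [
        ("Encrypted USB stick, 3 records, left in a car", 3, True, "Unlikely"),
        ("Referral letters faxed with no safe haven, 10 patients", 10, False, "Possible"),
        ("Unencrypted laptop with 2,500 records stolen", 2500, False, "Rare"),
    ]
    for label, n, enc, lk in scenarios:
        impact, grade = assess_incident(n, enc, lk)
        print("%-56s %-13s %-9s act now: %s"
              % (label, impact, grade, needs_immediate_action(grade)))
```

Likelihood is still a judgement the practice makes per flow (the Data Flow Attributes guidance below lists what pushes it up: bulk data, sensitive data, leaving the premises, going overseas, an insecure transfer method); the code only makes the impact side and the grid lookup repeatable.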

Data Flow Attributes and Guidance

Is the data bulk data (concerning 51 or more subjects)?
    Bulk data transfer carries higher risk than individual data transfer.
Is the data sensitive data?
    Sensitive data carries a higher risk than transfer of other types of data.
Is the data going outside the optical practice premises and/or the optical practice organisation?
    Data going outside the optical practice premises and organisation carries a higher risk than data remaining within the premises.
Is the data being transferred overseas?
    Transfer outside the UK and the European Economic Area carries a higher risk than transfer to another location in the UK.
What is the method of data transfer?
    1. Automatic system transfer is high risk if made via an insecure network.
    2. Courier transfer is high risk if the optical practice does not have a contract with a courier company.
    3. Email is high risk, but the risk can be reduced if sender and recipient use NHSmail, or use alternative encryption that meets the NHS IG standard, and the recipient's address is confirmed.
    4. Fax is high risk if a safe haven is not implemented.
    5. Hand deliveries are high risk due to the risk of loss (if a removable storage device is used it must be encrypted to reduce the risk).
    6. Post: risk is reduced by use of a) sealed envelopes and b) track-and-trace postal services (if a removable storage device is used it must be encrypted).
    7. Text messages are high risk (use only for non-sensitive data).

Step 3: Recording Risks
A record of risks is commonly referred to as a risk register. All information governance risks identified in Step 2 should be recorded in an information governance risk register. The table on page 63 could be used as the optical practice's risk register. It has been pre-filled with all of the common data flows. Any appropriate additional data flows should be added if the optical practice has transfers not covered by the generic list.

Step 4: Reporting and Mitigating Risks
In some circumstances, the necessities of patient care may justify a degree of risk for a period, but where possible, plans should be developed for securing the data flow as soon as possible. Where significant risks are highlighted by the mapping exercise, immediate action should be taken to either suspend the transfer of information until remedial action can be taken, or to transfer the information by another, more secure method.

Any significant risks should be reported by optical practice staff to the optical practice's information governance lead.

Optical Practice Map of Information Flow
The diagram below shows the standard map of data flow for optical practices, with the optical practice at the centre and flows to and from the following external parties. Any additional data flow can be added to the blank boxes.
    Patient or guardian
    NHS England
    CCG
    HES
    GP
    Another optical practice
    Glazing lab
    Wholesale supplier
    Tertiary ophthalmology service

Telephone & Personal Conversations: Mapping can only be carried out on tangible information flows, where physical evidence of the information exists. If telephone calls are recorded or discussions are transcribed to tapes etc. which are then routinely sent to different locations, these will count as data flows. The security and confidentiality of telephone and personal conversations is clearly very important, but must be addressed through policies, procedures and staff training.

Transfers within an Optical Practice Company: Transfers within an optical practice company do not need to be documented in this mapping exercise; however, optical practice companies should ensure they meet their legal obligations, including compliance with the Data Protection Act.

Data Flow Risk Register

For each external organisation the register records: the nature of the information flow between the optical practice and that organisation (data item, format, transfer method); the type and risk level of breaches of confidentiality; and the measures taken to mitigate the risk of breaches of confidentiality of information passed between the optical practice and the external organisation.

Patient or guardian
    Flow: referral letter copies, prescription copies, patient recall letters, patient record copies.
    Risk level: Low
    Mitigation: information only sent to a confirmed patient address by mail.

NHS England
    Flow: NHS sight test vouchers and NHS optical vouchers.
    Risk level: Low
    Mitigation: forms sent by recorded delivery or delivered by a practice staff member.

CCG
    Flow: payment forms for community services.
    Risk level: Low
    Mitigation: forms sent by recorded delivery or delivered by a practice staff member.

HES
    Flow: referral letters.
    Risk level: Low
    Mitigation: sent by post, by fax to a safe haven, or by email using NHSmail or encrypted email.

GP
    Flow: referral letters.
    Risk level: Low
    Mitigation: sent by post, by fax to a safe haven, or by email using NHSmail or encrypted email.

Another optical practice
    Flow: spectacle prescription copy, contact lens prescription copy.
    Risk level: Low
    Mitigation: sent by post, by fax to a safe haven, or by email using NHSmail or encrypted email. By telephone only if the patient's identity can be verified and consent obtained.

Glazing lab
    Flow: spectacle prescription.
    Risk level: Low
    Mitigation: minimum data sent; order number or surname used as identifier.

Wholesale supplier
    Flow: contact lens prescription, spectacle prescription.
    Risk level: Low
    Mitigation: minimum data sent; order number or surname used as identifier.

Tertiary ophthalmology service
    Flow: tertiary ophthalmology service.
    Risk level: Low
    Mitigation: sent by post, by fax to a safe haven, or by email using NHSmail or encrypted email.